DEV544: Secure Coding in .NET: Developing Defensible Applications

This course illustrated just how easy it is to write exploitable code and how to prevent the attacks.

Brian Scoggins, TransCard, LLC

This class should be required for anyone in the field of software development.

Attendee, Meijer

ASP.NET and the .NET framework have provided web developers with tools that allow them an unprecedented degree of flexibility and productivity. On the other hand, these sophisticated tools make it easier than ever to miss the little details that allow security vulnerabilities to creep into an application. Since ASP.NET, 2.0 Microsoft has done a fantastic job of integrating security into the ASP.NET framework, but the responsibility is still on application developers to understand the limitations of the framework and ensure that their own code is secure.

Have you ever wondered if the built-in ASP.NET validation is effective? Have you been concerned that web services might be introducing unexamined security issues into your application? Should you feel uneasy relying solely on the security controls built into the ASP.NET framework? The Secure Coding in .NET course will help students leverage built-in and custom defensive technologies to integrate security into their applications.

What Does the Course Cover?

This is a comprehensive course covering a huge set of skills and knowledge. It's not a high-level theory course. It's about real programming. In this course you will examine actual code, work with real tools, build applications, and gain confidence in the resources you need for the journey to improving the security of .NET applications.

Rather than teaching students to use a set of tools, we're teaching students concepts of secure programming. This involves looking at a specific piece of code, identifying a security flaw, and implementing a fix for flaws found on the OWASP Top 10 and CWE/SANS Top 25 Most Dangerous Programming Errors.

The class culminates with a security review of a real-world open source application. You will write custom static analysis rules to discover .NET vulnerabilities, conduct a code review, review a penetration test report, perform security testing to actually exploit real vulnerabilities, and finally, using the secure coding techniques that you have learned in class, implement fixes for these issues.

PCI Compliance

Section 6.5 of the Payment Card Industry (PCI) Data Security Standard (DSS) instructs auditors to verify that processes exist that require training in secure coding techniques for developers. If your application processes cardholder data and you are required to meet PCI compliance, then this course is for you.

Be secure. Before you're next.

You Will Learn To:

Understand the attacker's methodology and how they will attack your web application

Course Syllabus

DEV544.1: Data Validation

Overview

Improper data validation is the root cause of the most prevalent web application vulnerabilities today. Beginning on the first day, you will learn about some of the most prevalent web applications vulnerabilities such as XSS, SQL Injection, Open Redirects, and Parameter Manipulation. You will see how to find these issues and how to recreate them in a running application. Then you will use a variety of methods to actually fix these vulnerabilities in your C# code.

The course is full of hands on exercises where you can apply practical data validation techniques that you can use to prevent common attacks with defense ranging from input validation, output encoding, and use of new techniques like Content Security Policy.

CPE/CMU Credits: 6

Topics

Web Application Attacks

Web Application Proxies

Parameter Manipulation

Cross-Site Scripting (XSS)

Open Redirect

Unvalidated Forwards

SQL Injection

HTTP Response Splitting

Input Validation

Indirect Selection

Blacklists

Whitelists

Regular Expressions

Event Validation

Character Encoding

Command Encoding

Content Security Policy

LINQ & Entity Framework

DEV544.2: Authentication & Session Management

Overview

Authentication, authorization, and session management vulnerabilities are commonly exploited by attackers to gain unauthorized access to web applications. In this section, you will learn about various authentication and authorization attacks such as man-in-the-middle, cross-site request forgery, clickjacking, and session hijacking. Then, you will use a variety of techniques to fix these vulnerabilities in an ASP.NET web application.

CPE/CMU Credits: 6

Topics

Authentication Factors

Authentication Attacks

Authorization Attacks

Password Management

ASP.NET Identity

Forms Authentication & Membership Provider

Race Conditions

Session Identifiers

Man-in-the-middle (MITM) Attacks

Cross-Site Request Forgery (CSRF)

Clickjacking

Session Hijacking

Session Fixation

Session Management

Cookie Security

DEV544.3: .NET Framework Security

Overview

A secure architecture is critical for mission critical .NET applications. You will learn about various built-in .NET security features such as cryptography, password storage, web service security and many other .NET features you should consider while writing secure code. A number of hand-on exercises will guide you through writing a cryptography utility for storing sensitive data and user passwords, protecting data in memory, exploiting a running application using DLL Injection, and much more.

CPE/CMU Credits: 6

Topics

Cryptography

Password Storage

PCI Compliance

Threading

String Immutability

Numeric Overflow

Risks of Malicious Code

Exception Handling

Auditing and Logging

Web Services

DEV544.4: Secure Software Development Lifecycle

Overview

We will take a look at each phase of the SDLC and discuss how security fits into the process. Using what you have learned about application vulnerabilities, you will get the opportunity to write static analysis rules to identify insecure code. Then, you will then perform security testing and actually exploit these weaknesses. Once they have been exploited, you will then fix them using the secure coding techniques you have learned in class.

CPE/CMU Credits: 6

Topics

Security Training

Security Requirements

Secure Design

Threat Modeling

Implementation

Static Analysis

Roslyn Diagnostic Analyzers

Peer Reviews

Secure Code Review

Verification

Dynamic Analysis

Penetration Test Reports

Release

Response

Additional Information

Laptop Required

!!IMPORTANT - PLEASE PLAN ON ARRIVING AT CLASS AT LEAST 30 MINUTES EARLY THE FIRST MORNING TO SET UP THE VIRTUAL MACHINE BEFORE CLASS STARTS. - BRING YOUR OWN LAPTOP CONFIGURED USING THESE DIRECTIONS!!!

A properly configured system is required for each student participating in this course. Before coming to class, carefully read and follow these instructions exactly.

Please download and install VMware Workstation, VMware Fusion, or VMware Workstation Player on your system prior to class beginning. If you own a licensed copy of VMware, make sure it is at least VMware Workstation 11, VMware Fusion 7.0, or VMware Workstation Player 11. If you do not own a licensed copy of VMware, you can download a free 30-day trial copy from VMware. VMware will send you a time-limited serial number if you register for the trial at their web site.

VMware Workstation Player is a free download that does not need a commercial license. Most students find VMware Workstation Player adequate for the course.

Make sure you have a working USB drive. The course VM will be copied onto your laptop from a USB key provided by SANS.

If you have additional questions about the laptop specifications, please contact laptop_prep@sans.org.

Who Should Attend

This course is intended for:

ASP.NET developers who want to build more secure web applications

.NET framework developers

Software engineers

Software architects

Developers who need to be trained in secure coding techniques to meet PCI compliance

This class is focused specifically on software development, but it is accessible enough for anyone who's comfortable working with code and has an interest in understanding the developer's perspective. This could include:

Application security auditors

Technical project managers

Senior software QA specialists

Penetration testers who want a deeper understanding of how to target ASP.NET web applications or who want to provide more detailed vulnerability remediation options

Prerequisites

Students should have the following:

At least one year of experience working with ASP.NET and the .NET framework

Experience with programming in ASP.NET using either Visual Basic or C#. All class work will be performed in C#

A thorough knowledge of Web technology

While this class briefly reviews basic web attacks, a prior understanding of web application vulnerabilities (i.e. the OWASP Top 10) is recommended.

"This course illustrated just how easy it is to write exploitable code and how to prevent the attacks." - Brian Scoggins, TransCard, LLC

Author Statement

Developers are always up against rigid deadlines, sparse and changing requirements and constant production support issues, which leaves little time for keeping up with the current threats and defenses and inevitably makes security an afterthought. Bolting security on at the end of the development phase leaves applications vulnerable and requires significantly more effort than if the applications were architected with security in mind at the beginning. CWE defines approximately 658 software weaknesses that can be introduced at different points in the software development lifecycle, and an attacker only needs to expose one of these while developers feel pressure to defend against them all. The goal of this course is not to teach developers how to write 100% secure code, but instead to help developers change their mindset to developing defensible code from the early stages of the SDL. This will allow applications to withstand an attack and provide feedback when under attack, so organizations can adjust and adapt to the changing threat landscape.

This course covers common attacks, including applicable topics from the CWE/SANS Top 25 Most Dangerous Programming Errors, the OWASP Top 10, and deficiencies in the .NET framework, while also providing solid defensive techniques. This course will change the way developers approach the design and implementation of software. Take part in this exciting class and arm yourself with the knowledge to protect your .NET applications.